Fix shared memory issue when stripping authorization header from bid …

…requests (prebid#1790)

exchange/bidder.go

@@ -167,10 +167,6 @@ func (bidder *bidderAdapter) requestBid(ctx context.Context, request *openrtb2.B
 		if debugInfo := ctx.Value(DebugContextKey); debugInfo != nil && debugInfo.(bool) {
 			if accountDebugAllowed {
 				if bidder.config.DebugInfo.Allow {
-					// it's safe to mutate the request headers since from this point on the
-					// information is only used for debugging.
-					removeSensitiveHeaders(httpInfo.request.Headers)
-
 					seatBid.httpCalls = append(seatBid.httpCalls, makeExt(httpInfo))
 				} else {
 					debugDisabledWarning := errortypes.Warning{
@@ -331,9 +327,10 @@ func getAssetByID(id int64, assets []nativeRequests.Asset) (nativeRequests.Asset
 
 var authorizationHeader = http.CanonicalHeaderKey("authorization")
 
-// removeSensitiveHeaders mutates the http header object to remove sensitive information.
-func removeSensitiveHeaders(h http.Header) {
-	h.Del(authorizationHeader)
+func filterHeader(h http.Header) http.Header {
+	clone := h.Clone()
+	clone.Del(authorizationHeader)
+	return clone
 }
 
 // makeExt transforms information about the HTTP call into the contract class for the PBS response.
@@ -343,7 +340,7 @@ func makeExt(httpInfo *httpCallInfo) *openrtb_ext.ExtHttpCall {
 	if httpInfo != nil && httpInfo.request != nil {
 		ext.Uri = httpInfo.request.Uri
 		ext.RequestBody = string(httpInfo.request.Body)
-		ext.RequestHeaders = httpInfo.request.Headers
+		ext.RequestHeaders = filterHeader(httpInfo.request.Headers)
 
 		if httpInfo.err == nil && httpInfo.response != nil {
 			ext.ResponseBody = string(httpInfo.response.Body)

exchange/bidder_test.go

@@ -974,6 +974,50 @@ func TestMakeExt(t *testing.T) {
 				Status:         999,
 			},
 		},
+		{
+			description: "Request & Response - No Error with Authorization removal",
+			given: &httpCallInfo{
+				err: nil,
+				request: &adapters.RequestData{
+					Uri:     "requestUri",
+					Body:    []byte("requestBody"),
+					Headers: makeHeader(map[string][]string{"Key1": {"value1", "value2"}, "Authorization": {"secret"}}),
+				},
+				response: &adapters.ResponseData{
+					Body:       []byte("responseBody"),
+					StatusCode: 999,
+				},
+			},
+			expected: &openrtb_ext.ExtHttpCall{
+				Uri:            "requestUri",
+				RequestBody:    "requestBody",
+				RequestHeaders: map[string][]string{"Key1": {"value1", "value2"}},
+				ResponseBody:   "responseBody",
+				Status:         999,
+			},
+		},
+		{
+			description: "Request & Response - No Error with nil header",
+			given: &httpCallInfo{
+				err: nil,
+				request: &adapters.RequestData{
+					Uri:     "requestUri",
+					Body:    []byte("requestBody"),
+					Headers: nil,
+				},
+				response: &adapters.ResponseData{
+					Body:       []byte("responseBody"),
+					StatusCode: 999,
+				},
+			},
+			expected: &openrtb_ext.ExtHttpCall{
+				Uri:            "requestUri",
+				RequestBody:    "requestBody",
+				RequestHeaders: nil,
+				ResponseBody:   "responseBody",
+				Status:         999,
+			},
+		},
 		{
 			description: "Request & Response - Error",
 			given: &httpCallInfo{
@@ -1029,7 +1073,7 @@ func TestMakeExt(t *testing.T) {
 	}
 }
 
-func TestRemoveSensitiveHeaders(t *testing.T) {
+func TestFilterHeader(t *testing.T) {
 	testCases := []struct {
 		description string
 		given       http.Header
@@ -1043,7 +1087,7 @@ func TestRemoveSensitiveHeaders(t *testing.T) {
 		{
 			description: "Empty",
 			given:       http.Header{},
-			expected:    map[string][]string{},
+			expected:    http.Header{},
 		},
 		{
 			description: "One",
@@ -1073,8 +1117,8 @@ func TestRemoveSensitiveHeaders(t *testing.T) {
 	}
 
 	for _, test := range testCases {
-		removeSensitiveHeaders(test.given)
-		assert.Equal(t, test.expected, test.given, test.description)
+		result := filterHeader(test.given)
+		assert.Equal(t, test.expected, result, test.description)
 	}
 }